MyCity » Ambulanta -> Arhiva Ambulante » a variant of Win32/Conficker.Gen worm

a variant of Win32/Conficker.Gen worm

Napisano na dan: 24.7.2009

a variant of Win32/Conficker.Gen worm

Sledeća strana

Pagination

Odgovori

puela Poslao: 24 Jul 2009 18:12 Idi na vrh
offline puela Građanin Pridružio: 06 Jan 2006 Poruke: 64	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav sjajnoj ekipi iz Ambulante! Imam problem sa ovom malom napasti. Nod32 mi već neko vreme izbacuje obaveštenje o njemu. Juče i prekjuče po jedno, a danas tri. Evo spisak logova: 24.7.2009 18:00:35 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. Citat:Time Module Object Name Threat Action User Information 24.7.2009 18:00:35 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 24.7.2009 18:00:27 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\dkzt[1].jpg a variant of Win32/Conficker.Gen worm deleted NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe. 24.7.2009 18:00:21 IMON file http://10.80.100.110:5590/dkzt a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM 24.7.2009 15:15:38 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\coxk[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 24.7.2009 15:15:38 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 24.7.2009 15:15:22 IMON file http://10.80.100.120:9899/coxk a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM 24.7.2009 12:18:03 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\coxk[1].bmp a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 24.7.2009 12:17:52 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 24.7.2009 12:17:34 IMON file http://10.80.100.120:9899/coxk a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM 23.7.2009 17:26:14 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\zhoeixkh[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 23.7.2009 17:25:49 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 23.7.2009 17:24:27 IMON file http://10.80.100.110:5590/zhoeixkh a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM 22.7.2009 20:36:45 AMON file C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OXEZWPI3\hujsacp[1].png a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 22.7.2009 20:35:21 AMON file C:\WINDOWS\system32\x a variant of Win32/Conficker.Gen worm quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window. 22.7.2009 20:35:00 IMON file http://10.80.100.110:5590/hujsacp a variant of Win32/Conficker.AA worm NT AUTHORITY\SYSTEM 19.7.2009 19:27:05 AMON file F:\Autorun.inf INF/Autorun virus deleted NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe. I HijackThis po upustvu iz izdvojene teme Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:03:57, on 24.7.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Eset\nod32kui.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\ana\Desktop\New Folder\trr4.exe.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O8 - Extra context menu item: Add to Google Photos Screensa&ver - [Link mogu videti samo ulogovani korisnici]\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [Link mogu videti samo ulogovani korisnici] O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5415 bytes Hvala unapred!

Profil

dr_Bora Poslao: 24 Jul 2009 20:57 Idi na vrh
offline dr_Bora Anti Malware Fighter Rank 2 Pridružio: 24 Jul 2007 Poruke: 12280 Gde živiš: Höganäs, SE	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Pozdrav... Preuzmi program RootRepeal na Desktop. Raspakuj RootRepeal.zip u neki folder. Dvoklikom pokreni RootRepeal.exe. Pređi na Report karticu (klikom na Report taster, dole, desno). Klikni Scan taster. U prozoru koji se otvori (Select Scan), obeleži kućice ispred svih stavki i klikni OK. U narednom prozoru (Select Drives) obeleži kućicu ispred sistemskog diska (obično C:\) i klikni OK. Po završetku procesa, klikni Save Report i sačuvaj izveštaj o skeniranju. Priloži izveštaj uz poruku korišćenjem opcije Prikači fajl.

Profil

puela Poslao: 24 Jul 2009 21:36 Idi na vrh
offline puela Građanin Pridružio: 06 Jan 2006 Poruke: 64	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Uloguj se preko Facebooka da bi skinuo fajl: Hvala dr Bora na brzom odgovoru. Raport sam prikačila. [Link mogu videti samo ulogovani korisnici]

Profil

dr_Bora Poslao: 24 Jul 2009 21:48 Idi na vrh
offline dr_Bora Anti Malware Fighter Rank 2 Pridružio: 24 Jul 2007 Poruke: 12280 Gde živiš: Höganäs, SE	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Vlo je moguće da se ovde ne radi o malware-u koji je na kompjuteru već o malware-u koji pokušava da uđe u njega (Conficker je mrežni crv). Za početak instaliraj ovaj patch: [Link mogu videti samo ulogovani korisnici] Nakon toga odradi i sledeće... Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop: Bleeping Computer Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu); Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save. Kada preuzimanje programa bude završeno: zatvori pokrenute programe; deaktiviraj zaštitni softver (uputstvo); dvoklikom pokreni program ComboFix. U toku rada, ComboFix će:proveriti postoji li novija verzija programa: klikni Yes ako bude ponuđeno preuzimanje iste. prikazati DISCLAIMER OF WARRANTY ON SOFTWARE: klikni Yes kako bi proces bio nastavljen.ako Recovery Console nije instalirana, ponuditi instalaciju: prihvati klikom na Yes i isprati postupak.postaviti/dati određeni broj upita/obaveštenja: prihvati klikom na Yes ili OK.po potrebi, restartovati Windows (više puta); na kraju rada, otvoriti Notepad sa izveštajem o skeniranju. Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu: klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All; klikni desnim tasterom miša na obeleženi tekst i izaberi Copy; klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste. Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt); Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

Profil

puela Poslao: 24 Jul 2009 23:14 Idi na vrh
offline puela Građanin Pridružio: 06 Jan 2006 Poruke: 64	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Hvala Dr Bora! Imam pitanje u vezi tog da je "mrežni". Ja nisam ni sa kim umrežena, jedino ako je to moguće preko internet veze nekako, ja imam wireless? Evo izveštaja Combofix-a. ComboFix 09-07-23.04 - ana 24.07.2009 22:56.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.87 [GMT 2:00] Running from: c:\documents and settings\ana\Desktop\ComboFix.exe AV: ESET NOD32 antivirus system 2.70 On-access scanning disabled (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} FW: Outpost Firewall Pro disabled {8A20CA2A-9E02-4A64-923B-0A38208EB7FD} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 ))))))))))))))))))))))))))))))) . 2009-07-24 13:56 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys 2009-07-24 13:56 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys 2009-07-17 20:39 . 2009-07-17 20:52 -------- d-----w- c:\documents and settings\ana\Local Settings\Application Data\Temp 2009-07-14 11:56 . 2009-07-14 11:56 -------- d-----w- c:\documents and settings\ana\.thumbnails 2009-07-14 11:54 . 2009-07-14 16:13 -------- d-----w- c:\documents and settings\ana\.gimp-2.6 2009-07-14 11:54 . 2009-07-14 11:54 -------- d-----w- c:\documents and settings\ana\.gegl-0.0 2009-07-14 11:53 . 2009-07-14 11:53 -------- d-----w- c:\program files\GIMP-2.0 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-23 15:27 . 2007-05-23 15:07 -------- d-----w- c:\program files\CCleaner 2009-07-22 19:10 . 2009-03-26 23:50 -------- d-----w- c:\documents and settings\ana\Application Data\HPAppData 2009-07-19 20:36 . 2007-07-16 15:59 -------- d-----w- c:\documents and settings\ana\Application Data\foobar2000 2009-07-18 00:11 . 2009-07-18 08:18 3608064 ----a-w- c:\windows\Internet Logs\xDBF.tmp 2009-07-15 08:28 . 2007-10-16 07:31 18131284 ----a-w- c:\windows\Internet Logs\tvDebug.zip 2009-07-14 16:13 . 2007-05-09 20:16 -------- d-----w- c:\documents and settings\ana\Application Data\gtk-2.0 2009-07-12 16:19 . 2008-04-22 22:13 -------- d-----w- c:\documents and settings\ana\Application Data\Any Video Converter 2009-06-13 01:54 . 2009-06-13 09:17 2637824 ----a-w- c:\windows\Internet Logs\xDBE.tmp 2009-06-10 19:50 . 2007-04-26 08:15 77432 ----a-w- c:\documents and settings\ana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-27 17:18 . 2009-05-27 17:18 -------- d-----w- c:\program files\AskBarDis 2009-05-27 17:13 . 2007-05-25 13:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2009-05-19 12:22 . 2009-05-19 12:22 390664 ----a-w- c:\documents and settings\ana\Application Data\Real\RealPlayer\Update\RealPlayer11.exe 2007-03-20 21:47 . 2007-07-10 01:38 1748224 ----a-w- c:\program files\Foxit PDF Reader v2.0 Build 1516.exe 2005-08-26 11:38 . 2007-07-13 19:26 933888 ----a-w- c:\program files\FontViewer.exe 2009-07-19 09:18 . 2008-06-17 19:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll 2007-08-21 05:04 . 2007-04-28 18:47 56 --sh--r- c:\windows\system32\BEAC641D62.sys 2007-11-13 21:03 . 2007-04-28 18:43 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360] "Google Update"="c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-04 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-04-23 46080] "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-04-26 949376] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384] "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-06-18 67584] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-04-23 831488] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^ana^Start Menu^Programs^Startup^Last.fm Helper.lnk] path=c:\documents and settings\ana\Start Menu\Programs\Startup\Last.fm Helper.lnk backup=c:\windows\pss\Last.fm Helper.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [26.4.2007 21:23 15424] S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 12:31 98328] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2009-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57] 2009-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1993962763-1417001333-1003Core.job - c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-04 18:23] 2009-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1993962763-1417001333-1003UA.job - c:\documents and settings\ana\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-04 18:23] . - - - - ORPHANS REMOVED - - - - WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) Notify-WgaLogon - (no file) . ------- Supplementary Scan ------- . uStart Page = [Link mogu videti samo ulogovani korisnici] IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 LSP: c:\windows\system32\imon.dll FF - ProfilePath - c:\documents and settings\ana\Application Data\Mozilla\Firefox\Profiles\8lmmhfsa.default\ FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici] FF - plugin: c:\documents and settings\ana\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews..wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici] Rootkit scan 2009-07-24 23:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(776) c:\windows\system32\imon.dll - - - - - - - > 'explorer.exe'(3908-) c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-07-24 23:08 ComboFix-quarantined-files.txt 2009-07-24 21:08 Pre-Run: 25.048.707.072 bytes free Post-Run: 25.034.227.712 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 175 --- E O F --- 2009-07-24 14:06

Profil

dr_Bora Poslao: 25 Jul 2009 00:10 Idi na vrh
offline dr_Bora Anti Malware Fighter Rank 2 Pridružio: 24 Jul 2007 Poruke: 12280 Gde živiš: Höganäs, SE	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Citat:Imam pitanje u vezi tog da je "mrežni". Ja nisam ni sa kim umrežena, jedino ako je to moguće preko internet veze nekako, ja imam wireless? Jedan od metoda širenja (mrežnih) crva je i korišćenje interneta. Anyway... Ovo je čisto. Isprati uputstvo za deinst. korišćenog programa, a nakon toga bi bilo dobro da instaliraš Service Pack 3 i novi Internet Explorer (veoma bitno kako bi PC i dalje bio čist). klikni start (ili ), a zatim RUN. Na Visti koristiti Start Search polje ukoliko Run nije dostupan. U liniju za unos teksta ukucaj (iskopiraj) sledeće: combofix /u Primeti da postoji razmak između "ComboFix" i "/u". a zatim klikni OK (ili pritisni Enter). Sačekaj da se proces deinstalacije završi. To je sve...

Profil

puela Poslao: 25 Jul 2009 00:15 Idi na vrh
offline puela Građanin Pridružio: 06 Jan 2006 Poruke: 64	0Niko još nije pohvalio poruku. Registruj se da bi pohvalio/la poruku! Ok! Videću da uradim predloženo Hvala još jednom dr Bora! Svaki put me oduševite brzinom i voljom da pomognete! Puno pozdrava celoj ekipi! Sjajni ste!

Profil

MyCity » Ambulanta -> Arhiva Ambulante » a variant of Win32/Conficker.Gen worm

Ko je trenutno na forumu

Ukupno su 1445 korisnika na forumu :: 90 registrovanih, 12 sakrivenih i 1343 gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:: Korisnici trenutno na forumu: 8u47, Agape, Andrija 1993, aramis s, babaroga, Bobrock1, bojankrstc, bojanM84, borya90, BUDDAR70, Cigi, cikadeda, Clouseau, colji, Crazzer, crnogorac, darkojbn, DejanSt, Denaya, Djokislav, Djokkinen, djuradj, Dogma21, dovlafkcz, draganl, dule10savic, francis begbie, Fructo, Frunze, Georgius, glisok, Gogi do, goran.vvv, Hans Gajger, ILGromovnik, kendzo-andzo-boni-fju, Koridor, krca73, Kubovac, LostInSpaceandTime, lucko1, lukisa, majstro, MarkoD, mat, MB120mm, milanpetkovicv, Milometer, Mitraljeta, morava_01, mrav pesadinac, mux, N.e.m.a.nj.a., neko iz mase, nelezele, nemkea71, nenad81, nnnnnnnnnn, Nobunaga, Outis, Papadubi, pein, perko91, Pilence, Povratak1912, Qvazimodo, Ray1973, repac, Sami_1ali, sasakrajina, Shadow soldier, Sirius, Sićko, Sky diver 29, Srki94, stegonosa, suponik, suton, Token, Toper, Trpe Grozni, Tvrtko I, uruk, vathra, Vrač, vukajlo71, wizzardone, XBMC, zdrebac, zeo

Svaki korisnik ovog sajta je odgovoran za sadržaj svoje poruke koju objavi na sajtu. Sajt se odriče svake odgovornosti za sadržaj tih poruka.
Postavljanjem vaše poruke ili vašeg autorskog dela na ovaj sajt, saglasni ste da ovaj sajt postaje distributer vašeg dela, i odričete se mogućnosti njegovog povlačenja ili brisanja, bez saglasnosti uprave sajta.
Distribucija sadržaja sa ovog sajta je dozvoljena samo u nekomercijalne svrhe, uz obaveznu napomenu da je sadržaj preuzet sa ovog sajta, i uz obavezno navođenje adrese MyCity sajta. Za sve ostale vidove distribucije obavezni ste da prethodno zatražite odobrenje od vlasnika MyCity sajta.
MyCity pokrenuo, administrira i razvija Predrag Damnjanović, a o uređenju sajta se brine MyCity Tim.
Ukoliko želite da nas kontaktirate kliknite ovde.
Naši sajtovi:
Vesti, Vojni forum, Zaštita od virusa, TekstPesme.rs

This content is licensed under a Creative Commons License.
Based on phpBB 2, translated by Simke, designed by